{"catalog":{"uuid":"af79700c-09a3-435c-bc35-bce9495f3afc","metadata":{"links":[{"rel":"source-profile","href":"https://api.dev.comply0.com/v1/profiles/128a579f-213e-4d31-85cf-2413caed1ea5"}],"props":[{"name":"resolution-tool","value":"Comply0"}],"title":"CyFun 2025 BASIC Resolved","version":"2025-12-12","document-ids":[{"scheme":"http://oscal.io/oscal/identifier/content-uuid","identifier":"edd2523d-516f-4157-b7a9-16765ddf7ad1"}],"last-modified":"2025-12-16T22:17:46.130Z","oscal-version":"1.1.3"},"groups":[{"id":"GV","props":[{"name":"sort-id","value":"01"}],"title":"GOVERN","groups":[{"id":"GV.OC","parts":[{"name":"overview","prose":"The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organisation's cybersecurity risk management decisions are understood."}],"props":[{"name":"label","value":"GV.OC"},{"name":"sort-id","value":"01-001"}],"title":"Organisational Context","groups":[{"id":"GV.OC-03","props":[{"name":"label","value":"GV.OC-03"},{"name":"sort-id","value":"01-001-003"}],"title":"Legal, regulatory, and contractual requirements regarding cybersecurity are understood and managed.","controls":[{"id":"GV.OC-03.1","parts":[{"id":"GV.OC-03.1_smt","name":"statement","prose":"Legal and regulatory requirements regarding information and cybersecurity shall be identified and implemented."}],"props":[{"name":"label","value":"GV.OC-03.1"},{"name":"sort-id","value":"01-001-003-003"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement GV.OC-03.1"}]}]},{"id":"GV.RM","parts":[{"name":"overview","prose":"The organisation's priorities, constraints, risk tolerance and appetite statements, and assumptions, are established, communicated, and used to support operational risk decisions."}],"props":[{"name":"label","value":"GV.RM"},{"name":"sort-id","value":"01-002"}],"title":"Risk Management Strategy","groups":[{"id":"GV.RM-03","props":[{"name":"label","value":"GV.RM-03"},{"name":"sort-id","value":"01-002-008"}],"title":"Cybersecurity risk management activities and outcomes are included in enterprise risk management processes.","controls":[{"id":"GV.RM-03.1","parts":[{"id":"GV.RM-03.1_smt","name":"statement","prose":"As part of the organisation-wide risk management strategy, a comprehensive strategy to manage information and cybersecurity risks shall be developed and updated when changes occur."}],"props":[{"name":"label","value":"GV.RM-03.1"},{"name":"sort-id","value":"01-002-008-012"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement GV.RM-03.1"}]}]},{"id":"GV.RR","parts":[{"name":"overview","prose":"Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated."}],"props":[{"name":"label","value":"GV.RR"},{"name":"sort-id","value":"01-003"}],"title":"Roles, Responsibilities and Authorities","groups":[{"id":"GV.RR-04","props":[{"name":"label","value":"GV.RR-04"},{"name":"sort-id","value":"01-003-014"}],"title":"Cybersecurity is included in human resources practices.","controls":[{"id":"GV.RR-04.1","parts":[{"id":"GV.RR-04.1_smt","name":"statement","prose":"Personnel with access to the organisation’s most critical information or technology shall be authenticated.."}],"props":[{"name":"label","value":"GV.RR-04.1"},{"name":"sort-id","value":"01-003-014-021"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement GV.RR-04.1"}]}]},{"id":"GV.PO","parts":[{"name":"overview","prose":"Organisational cybersecurity policy is established, communicated, and enforced."}],"props":[{"name":"label","value":"GV.PO"},{"name":"sort-id","value":"01-004"}],"title":"Policy","groups":[{"id":"GV.PO-01","props":[{"name":"label","value":"GV.PO-01"},{"name":"sort-id","value":"01-004-015"}],"title":"Policy for managing cybersecurity risks is established based on Organisational context, cybersecurity strategy, and priorities and is communicated and enforced.","controls":[{"id":"GV.PO-01.1","parts":[{"id":"GV.PO-01.1_smt","name":"statement","prose":"Policies and procedures for managing information and cybersecurity shall be established, documented, reviewed, approved, updated when changes occur, communicated and enforced."}],"props":[{"name":"label","value":"GV.PO-01.1"},{"name":"sort-id","value":"01-004-015-023"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement GV.PO-01.1"}]}]}]},{"id":"ID","props":[{"name":"sort-id","value":"02"}],"title":"IDENTIFY","groups":[{"id":"ID.AM","parts":[{"name":"overview","prose":"Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organisation to achieve business purposes are identified and managed consistent with their relative importance to organisational objectives and the organisation's risk strategy."}],"props":[{"name":"label","value":"ID.AM"},{"name":"sort-id","value":"02-001"}],"title":"Asset Management","groups":[{"id":"ID.AM-01","props":[{"name":"label","value":"ID.AM-01"},{"name":"sort-id","value":"02-001-001"}],"title":"Inventories of hardware managed by the organisation are maintained.","controls":[{"id":"ID.AM-01.1","parts":[{"id":"ID.AM-01.1_smt","name":"statement","prose":"An inventory of physical and virtual infrastructure assets—such as hardware, network devices, and cloud-hosted environments—that support information processing shall be documented, reviewed, and updated as changes occur."}],"props":[{"name":"label","value":"ID.AM-01.1"},{"name":"sort-id","value":"02-001-001-001"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement ID.AM-01.1"}]},{"id":"ID.AM-02","props":[{"name":"label","value":"ID.AM-02"},{"name":"sort-id","value":"02-001-002"}],"title":"Inventories of software, services, and systems managed by the organisation are maintained.","controls":[{"id":"ID.AM-02.1","parts":[{"id":"ID.AM-02.1_smt","name":"statement","prose":"An inventory of software, digital services, and business systems used within the organisation shall be documented, reviewed, and updated as changes occur."}],"props":[{"name":"label","value":"ID.AM-02.1"},{"name":"sort-id","value":"02-001-002-005"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement ID.AM-02.1"}]},{"id":"ID.AM-5","props":[{"name":"label","value":"ID.AM-5"},{"name":"sort-id","value":"02-001-005"}],"title":"Assets are prioritised based on classification, criticality, resources, and impact on the mission","controls":[{"id":"ID.AM-5.1","parts":[{"id":"ID.AM-5.1_smt","name":"statement","prose":"The organisation’s assets shall be prioritised based on classification, criticality, and business value."}],"props":[{"name":"label","value":"ID.AM-5.1"},{"name":"sort-id","value":"02-001-005-014"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"important"}],"title":"Requirement ID.AM-5.1"}]},{"id":"ID.AM-07","props":[{"name":"label","value":"ID.AM-07"},{"name":"sort-id","value":"02-001-006"}],"title":"Inventories of data and corresponding metadata for designated data types are maintained","controls":[{"id":"ID.AM-07.1","parts":[{"id":"ID.AM-07.1_smt","name":"statement","prose":"Data that the organisation stores and uses shall be identified.."}],"props":[{"name":"label","value":"ID.AM-07.1"},{"name":"sort-id","value":"02-001-006-015"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement ID.AM-07.1"}]},{"id":"ID.AM-08","props":[{"name":"label","value":"ID.AM-08"},{"name":"sort-id","value":"02-001-007"}],"title":"Systems, hardware, software, services, and data are managed throughout their life cycles.","controls":[{"id":"ID.AM-08.2","parts":[{"id":"ID.AM-08.2_smt","name":"statement","prose":"Patches and security updates for operating systems and critical system components shall be installed."}],"props":[{"name":"label","value":"ID.AM-08.2"},{"name":"sort-id","value":"02-001-007-017"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement ID.AM-08.2"}]}]},{"id":"ID.RA","parts":[{"name":"overview","prose":"The cybersecurity risk to the organisation, assets, and individuals is understood by the organisation."}],"props":[{"name":"label","value":"ID.RA"},{"name":"sort-id","value":"02-002"}],"title":"Risk Assessment","groups":[{"id":"ID.RA-01","props":[{"name":"label","value":"ID.RA-01"},{"name":"sort-id","value":"02-002-008"}],"title":"Vulnerabilities in assets are identified, validated, and recorded.","controls":[{"id":"ID.RA-01.1","parts":[{"id":"ID.RA-01.1_smt","name":"statement","prose":"Threats and vulnerabilities shall be identified in all relevant assets, including software, network and system architectures, and facilities that house critical computing assets."}],"props":[{"name":"label","value":"ID.RA-01.1"},{"name":"sort-id","value":"02-002-008-029"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement ID.RA-01.1"}]},{"id":"ID.RA-05","props":[{"name":"label","value":"ID.RA-05"},{"name":"sort-id","value":"02-002-011"}],"title":"Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritisation.","controls":[{"id":"ID.RA-05.1","parts":[{"id":"ID.RA-05.1_smt","name":"statement","prose":"The organisation shall conduct risk assessments in which risk is determined by threats, vulnerabilities and the impact on business processes and assets."}],"props":[{"name":"label","value":"ID.RA-05.1"},{"name":"sort-id","value":"02-002-011-038"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement ID.RA-05.1"}]}]},{"id":"ID.IM","parts":[{"name":"overview","prose":"Improvements to organisational cybersecurity risk management processes, procedures and activities are identified across all CyFun® functions."}],"props":[{"name":"label","value":"ID.IM"},{"name":"sort-id","value":"02-003"}],"title":"Improvement","groups":[{"id":"ID.IM-03","props":[{"name":"label","value":"ID.IM-03"},{"name":"sort-id","value":"02-003-015"}],"title":"Improvements are identified from execution of operational processes, procedures, and activities.","controls":[{"id":"ID.IM-03.1","parts":[{"id":"ID.IM-03.1_smt","name":"statement","prose":"The organisation shall conduct risk assessments in which risk is determined by threats, vulnerabilities and the impact on business processes and assets."}],"props":[{"name":"label","value":"ID.IM-03.1"},{"name":"sort-id","value":"02-003-015-045"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement ID.IM-03.1"}]}]}]},{"id":"PR","props":[{"name":"sort-id","value":"03"}],"title":"PROTECT","groups":[{"id":"PR.AA","parts":[{"name":"overview","prose":"Access to physical and logical assets is limited to authorised users, services, and hardware and managed commensurate with the assessed risk of unauthorised access."}],"props":[{"name":"label","value":"PR.AA"},{"name":"sort-id","value":"03-001"}],"title":"Identity Management, Authentication, and Access Control","groups":[{"id":"PR.AA-01","props":[{"name":"label","value":"PR.AA-01"},{"name":"sort-id","value":"03-001-001"}],"title":"Identities and credentials for authorised users, services, and hardware are managed by the organisation.","controls":[{"id":"PR.AA-01.1","parts":[{"id":"PR.AA-01.1_smt","name":"statement","prose":"Identities and credentials for authorised users, services, and hardware shall be managed."}],"props":[{"name":"label","value":"PR.AA-01.1"},{"name":"sort-id","value":"03-001-001-001"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.AA-01.1"}]},{"id":"PR.AA-03","props":[{"name":"label","value":"PR.AA-03"},{"name":"sort-id","value":"03-001-003"}],"title":"Users, services, and hardware are authenticated.","controls":[{"id":"PR.AA-03.1","parts":[{"id":"PR.AA-03.1_smt","name":"statement","prose":"All wireless access points used by the organisation, including those providing guest access, shall be securely configured, managed, and monitored to prevent unauthorised access and ensure network integrity."}],"props":[{"name":"label","value":"PR.AA-03.1"},{"name":"sort-id","value":"03-001-003-008"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement PR.AA-03.1"},{"id":"PR.AA-03.2","parts":[{"id":"PR.AA-03.2_smt","name":"statement","prose":"Multi-Factor Authentication (MFA) shall be required to access the organisation's networks remotely."}],"props":[{"name":"label","value":"PR.AA-03.2"},{"name":"sort-id","value":"03-001-003-009"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.AA-03.2"}]},{"id":"PR.AA-05","props":[{"name":"label","value":"PR.AA-05"},{"name":"sort-id","value":"03-001-005"}],"title":"Access permissions, entitlements, and authorisations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties.","controls":[{"id":"PR.AA-05.1","parts":[{"id":"PR.AA-05.1_smt","name":"statement","prose":"Access permissions, rights, and authorisations shall be defined, managed, enforced and reviewed."}],"props":[{"name":"label","value":"PR.AA-05.1"},{"name":"sort-id","value":"03-001-005-014"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.AA-05.1"},{"id":"PR.AA-05.2","parts":[{"id":"PR.AA-05.2_smt","name":"statement","prose":"It shall be determined who needs access to the organisation's business-critical information and technology and the means to gain access."}],"props":[{"name":"label","value":"PR.AA-05.2"},{"name":"sort-id","value":"03-001-005-015"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.AA-05.2"},{"id":"PR.AA-05.3","parts":[{"id":"PR.AA-05.3_smt","name":"statement","prose":"Access rights, privileges and authorisations must be restricted to the systems and specific information needed to perform the tasks (the principle of Least Privilege)."}],"props":[{"name":"label","value":"PR.AA-05.3"},{"name":"sort-id","value":"03-001-005-016"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.AA-05.3"},{"id":"PR.AA-05.4","parts":[{"id":"PR.AA-05.4_smt","name":"statement","prose":"No-one shall have administrative privileges for routine day-to-day tasks."}],"props":[{"name":"label","value":"PR.AA-05.4"},{"name":"sort-id","value":"03-001-005-017"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.AA-05.4"}]},{"id":"PR.AA-06","props":[{"name":"label","value":"PR.AA-06"},{"name":"sort-id","value":"03-001-006"}],"title":"Physical access to assets is managed, monitored, and enforced commensurate with risk.","controls":[{"id":"PR.AA-06.1","parts":[{"id":"PR.AA-06.1_smt","name":"statement","prose":"Physical access to all organisational assets, including critical zones, should be managed, monitored, and enforced based on risk."}],"props":[{"name":"label","value":"PR.AA-06.1"},{"name":"sort-id","value":"03-001-006-023"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement PR.AA-06.1"}]}]},{"id":"PR.AT","parts":[{"name":"overview","prose":"The organisation's personnel are provided with cybersecurity awareness and training, so that they can perform their cybersecurity-related tasks"}],"props":[{"name":"label","value":"PR.AT"},{"name":"sort-id","value":"03-002"}],"title":"Awareness and Training","groups":[{"id":"PR.AT-01","props":[{"name":"label","value":"PR.AT-01"},{"name":"sort-id","value":"03-002-007"}],"title":"Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind","controls":[{"id":"PR.AT-01.1","parts":[{"id":"PR.AT-01.1_smt","name":"statement","prose":"The organisation shall establish and maintain a cybersecurity awareness and training programme to ensure that all personnel understand how to perform their tasks securely and responsibly."}],"props":[{"name":"label","value":"PR.AT-01.1"},{"name":"sort-id","value":"03-002-007-027"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement PR.AT-01.1"}]}]},{"id":"PR.DS","parts":[{"name":"overview","prose":"Data are managed consistent with the organisation's risk strategy to protect the confidentiality, integrity, and availability of information"}],"props":[{"name":"label","value":"PR.DS"},{"name":"sort-id","value":"03-003"}],"title":"Data Security","groups":[{"id":"PR.DS-01","props":[{"name":"label","value":"PR.DS-01"},{"name":"sort-id","value":"03-003-009"}],"title":"The confidentiality, integrity, and availability of data-at-rest are protected.","controls":[{"id":"PR.DS-01.9","parts":[{"id":"PR.DS-01.9_smt","name":"statement","prose":"Enterprise assets shall be disposed of safely."}],"props":[{"name":"label","value":"PR.DS-01.9"},{"name":"sort-id","value":"03-003-009-040"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement PR.DS-01.9"}]},{"id":"PR.DS-11","props":[{"name":"label","value":"PR.DS-11"},{"name":"sort-id","value":"03-003-012"}],"title":"Backups of data are created, protected, maintained, and tested.","controls":[{"id":"PR.DS-11.1","parts":[{"id":"PR.DS-11.1_smt","name":"statement","prose":"Backups for the organisation's business critical data shall be performed and stored on a different system from the device on which the original data resides."}],"props":[{"name":"label","value":"PR.DS-11.1"},{"name":"sort-id","value":"03-003-012-044"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.DS-11.1"}]}]},{"id":"PR.PS","parts":[{"name":"overview","prose":"The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organisation's risk strategy to protect their confidentiality, integrity, and availability."}],"props":[{"name":"label","value":"PR.PS"},{"name":"sort-id","value":"03-004"}],"title":"Platform Security","groups":[{"id":"PR.PS-04","props":[{"name":"label","value":"PR.PS-04"},{"name":"sort-id","value":"03-004-016"}],"title":"Log records are generated and made available for continuous monitoring.","controls":[{"id":"PR.PS-04.1","parts":[{"id":"PR.PS-04.1_smt","name":"statement","prose":"Logs shall be maintained, documented, and rmonitored."}],"props":[{"name":"label","value":"PR.PS-04.1"},{"name":"sort-id","value":"03-004-016-056"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"},{"ns":"http://cyfun.eu/ns/oscal","name":"governance-measures","value":"true"}],"title":"Requirement PR.PS-04.1"}]},{"id":"PR.PS-05","props":[{"name":"label","value":"PR.PS-05"},{"name":"sort-id","value":"03-004-017"}],"title":"Installation and execution of unauthorised software are prevented.","controls":[{"id":"PR.PS-05.1","parts":[{"id":"PR.PS-05.1_smt","name":"statement","prose":"Web and e-mail filters shall be installed and used."}],"props":[{"name":"label","value":"PR.PS-05.1"},{"name":"sort-id","value":"03-004-017-061"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement PR.PS-05.1"}]}]},{"id":"PR.IR","parts":[{"name":"overview","prose":"Security architectures are managed with the organisation's risk strategy to protect asset confidentiality, integrity, and availability, and organisational resilience."}],"props":[{"name":"label","value":"PR.IR"},{"name":"sort-id","value":"03-005"}],"title":"Technology Infrastructure Resilience","groups":[{"id":"PR.IR-01","props":[{"name":"label","value":"PR.IR-01"},{"name":"sort-id","value":"03-005-019"}],"title":"Networks and environments are protected from unauthorised logical access and usage.","controls":[{"id":"PR.IR-01.1","parts":[{"id":"PR.IR-01.1_smt","name":"statement","prose":"Firewalls shall be installed, configured, and actively maintained on all networks used by the organisation to protect against unauthorised access and cyber threats."}],"props":[{"name":"label","value":"PR.IR-01.1"},{"name":"sort-id","value":"03-005-019-067"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.IR-01.1"},{"id":"PR.IR-01.2","parts":[{"id":"PR.IR-01.2_smt","name":"statement","prose":"To safeguard critical systems, organisations shall implement network segmentation and segregation aligned with trust boundaries and asset criticality, thereby limiting threat propagation and enforcing strict access control."}],"props":[{"name":"label","value":"PR.IR-01.2"},{"name":"sort-id","value":"03-005-019-068"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement PR.IR-01.2"}]}]}]},{"id":"DE","props":[{"name":"sort-id","value":"04"}],"title":"DETECT","groups":[{"id":"DE.CM","parts":[{"name":"overview","prose":"Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events."}],"props":[{"name":"label","value":"DE.CM"},{"name":"sort-id","value":"04-001"}],"title":"Continuous Monitoring","groups":[{"id":"DE.CM-01","props":[{"name":"label","value":"DE.CM-01"},{"name":"sort-id","value":"04-001-001"}],"title":"Networks and network services are monitored to find potentially adverse events.","controls":[{"id":"DE.CM-01.1","parts":[{"id":"DE.CM-01.1_smt","name":"statement","prose":"Firewalls shall be installed and operated at the network boundaries, including endpoint firewalls."}],"props":[{"name":"label","value":"DE.CM-01.1"},{"name":"sort-id","value":"04-001-001-001"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement DE.CM-01.1"},{"id":"DE.CM-01.2","parts":[{"id":"DE.CM-01.2_smt","name":"statement","prose":"Anti-virus, -spyware, and other -malware programs shall be installed and updated."}],"props":[{"name":"label","value":"DE.CM-01.2"},{"name":"sort-id","value":"04-001-001-002"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement DE.CM-01.2"}]},{"id":"DE.CM-03","props":[{"name":"label","value":"DE.CM-03"},{"name":"sort-id","value":"04-001-003"}],"title":"Personnel activity and technology usage are monitored to find potentially adverse events.","controls":[{"id":"DE.CM-03-1","parts":[{"id":"DE.CM-03-1_smt","name":"statement","prose":"End point and network protection tools to monitor end-user behaviour for dangerous activity shall be implemented."}],"props":[{"name":"label","value":"DE.CM-03-1"},{"name":"sort-id","value":"04-001-003-007"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement DE.CM-03-1"}]}]},{"id":"DE.AE","parts":[{"name":"overview","prose":"Anomalies, indicators of compromise, and other potentially adverse events are analysed to characterise the events and detect cybersecurity incidents."}],"props":[{"name":"label","value":"DE.AE"},{"name":"sort-id","value":"04-002"}],"title":"Adverse Event Analysis","groups":[{"id":"DE.AE-03","props":[{"name":"label","value":"DE.AE-03"},{"name":"sort-id","value":"04-002-007"}],"title":"Information is correlated from multiple sources.","controls":[{"id":"DE.AE-03.1","parts":[{"id":"DE.AE-03.1_smt","name":"statement","prose":"The logging functionality of protection and detection tools shall be enabled. Logs shall be backed up and retained for a predefined period, and regularly reviewed to identify unusual or potentially harmful activity."}],"props":[{"name":"label","value":"DE.AE-03.1"},{"name":"sort-id","value":"04-002-007-017"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"},{"ns":"http://cyfun.eu/ns/oscal","name":"key-measures","value":"true"}],"title":"Requirement DE.AE-03.1"}]}]}]},{"id":"RS","props":[{"name":"sort-id","value":"05"}],"title":"RESPOND","groups":[{"id":"RS.MA","parts":[{"name":"overview","prose":"Responses to detected cybersecurity incidents are managed."}],"props":[{"name":"label","value":"RS.MA"},{"name":"sort-id","value":"05-001"}],"title":"Incident Management","groups":[{"id":"RS.MA-01","props":[{"name":"label","value":"RS.MA-01"},{"name":"sort-id","value":"05-001-001"}],"title":"The incident response plan is executed in coordination with relevant third parties once an incident is declared.","controls":[{"id":"RS.MA-01.1","parts":[{"id":"RS.MA-01.1_smt","name":"statement","prose":"An incident response plan, including defined roles, responsibilities, and authorities, shall be executed during or after a cybersecurity event affecting the organisation's critical systems."}],"props":[{"name":"label","value":"RS.MA-01.1"},{"name":"sort-id","value":"05-001-001-001"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement RS.MA-01.1"}]}]},{"id":"RS.CO","parts":[{"name":"overview","prose":"Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies."}],"props":[{"name":"label","value":"RS.CO"},{"name":"sort-id","value":"05-003"}],"title":"Incident Response Reporting and Communication","groups":[{"id":"RS.CO-02","props":[{"name":"label","value":"RS.CO-02"},{"name":"sort-id","value":"05-003-009"}],"title":"Internal and external stakeholders are notified of incidents.","controls":[{"id":"RS.CO-02.1","parts":[{"id":"RS.CO-02.1_smt","name":"statement","prose":"Information about cybersecurity incidents shall be communicated to employees in a way that is clear and easy to understand."}],"props":[{"name":"label","value":"RS.CO-02.1"},{"name":"sort-id","value":"05-003-009-011"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement RS.CO-02.1"}]}]}]},{"id":"RC","props":[{"name":"sort-id","value":"06"}],"title":"RECOVER","groups":[{"id":"RC.RP","parts":[{"name":"overview","prose":"Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents."}],"props":[{"name":"label","value":"RC.RP"},{"name":"sort-id","value":"06-001"}],"title":"Incident Recovery Plan Execution","groups":[{"id":"RC.RP-01","props":[{"name":"label","value":"RC.RP-01"},{"name":"sort-id","value":"06-001-001"}],"title":"The recovery portion of the incident response plan is executed once initiated from the incident response process.","controls":[{"id":"RC.RP-01.1","parts":[{"id":"RC.RP-01.1_smt","name":"statement","prose":"A recovery process for disasters and information/cybersecurity incidents shall be developed and executed."}],"props":[{"name":"label","value":"RC.RP-01.1"},{"name":"sort-id","value":"06-001-001-001"},{"ns":"http://cyfun.eu/ns/oscal","name":"assurance-level","value":"basic"}],"title":"Requirement RC.RP-01.1"}]}]}]}]}}